In areas such as penetration and website performance testing, it’s often easier to keep track of your testing efforts if you have multiple email addresses to work with. More widely - whether it’s for business or personal use - email aliases can make it much easier to keep your inbox organized and help protect against spam and phishing attacks.
If you use Gmail, there’s a simple and often overlooked syntax trick that can give you unlimited Gmail addresses without the hassle of opening multiple accounts. Here’s how it works…
How to create Gmail aliases using the + sign
- When you first sign up for a Gmail account, you choose a username (e.g. johndoe). This username becomes the first part of your email address (johndoe@gmail.com).
- You can append a plus (+) sign and any combination of characters after your username but before the @ sign (e.g. johndoe+abc123@gmail.com). Any emails sent to that address variation will still come to the primary inbox for johndoe@gmail.com.
- It works because Google’s servers ignore the plus sign and anything that comes after it when deciding which mailbox to deliver to. When someone sends you an email, you’ll be able to see that they’ve used your alias (e.g. the message will show up as being addressed to johndoe+abc123@gmail.com) but it will still land in your primary inbox.
- This feature also works with Google Workspace accounts. So let’s say one of your Workspace email addresses is johndoe@doesecurity.com. Emails addressed to johndoe+signups@doesecurity.com will go to the same inbox.
Why the Gmail plus trick is more useful than the dot trick
There’s a further way to create Gmail aliases using dots. You can add as many dots as you want between characters before the @ sign (e.g. j.o.h.n.d.o.e.@gmail.com) and Gmail will still deliver the messages to your primary inbox.
However, if you’re using aliases for testing, message tracking and organization purposes, it helps to be able to put in some explanatory text (e.g. johndoe+bank@gmail.com). Dots alone are harder to work with.
Also, the dot trick only works for email addresses ending in @gmail.com. It doesn’t work on Google Workspace accounts.
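The plus and dot rules above, written out as an added example (not code from the original article): a canonicaliser that maps alias variants back to the mailbox that receives them, the way a sign-up form might when checking for duplicate accounts. The function names and the WORKSPACE_DOMAINS list are assumptions; a Workspace domain cannot be recognised from the address alone, so it has to be supplied.

```python
# Added example: canonicalise Gmail-style aliases as the article describes.
# WORKSPACE_DOMAINS is a constructed placeholder; supply the domains you
# know to be hosted on Google Workspace.
GMAIL_DOMAIN = "gmail.com"
WORKSPACE_DOMAINS = {"doesecurity.com"}

# Constructed sample of submitted sign-up addresses.
SAMPLE = [
    "johndoe@gmail.com", "johndoe+abc123@gmail.com", "j.o.h.n.d.o.e@gmail.com",
    "johndoe+signups@doesecurity.com", "johndoe@doesecurity.com",
    "john.doe@doesecurity.com", "jane+x@example.org",
]


def split_alias(address):
    """Return (base_local, tag, domain); tag is None when no '+' is present."""
    local, sep, domain = address.strip().rpartition("@")
    base, plus, tag = local.partition("+")
    if not sep or not base or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return base, (tag if plus else None), domain.lower()


def canonical(address):
    """Map an alias to the mailbox that actually receives the mail."""
    base, _tag, domain = split_alias(address)
    if domain != GMAIL_DOMAIN and domain not in WORKSPACE_DOMAINS:
        # Unknown provider: '+' and '.' may be significant, leave untouched.
        return address.strip()
    base = base.lower()                  # Gmail ignores case in the username
    if domain == GMAIL_DOMAIN:
        base = base.replace(".", "")     # dot trick applies to gmail.com only
    return f"{base}@{domain}"


def duplicates(addresses):
    """Group addresses by canonical mailbox; keep only groups of two or more."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical(addr), []).append(addr)
    return {box: seen for box, seen in groups.items() if len(seen) > 1}


if __name__ == "__main__":
    for mailbox, variants in duplicates(SAMPLE).items():
        print(mailbox, "<-", variants)
```

Note that john.doe@doesecurity.com is kept distinct from johndoe@doesecurity.com, because dots are only ignored on gmail.com.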
Ways to use email aliases
Here are a few illustrations of how a Gmail alias can be a useful tool…
Take advantage of the same offer twice
Lots of online sellers have a sign-up bonus for new customers (e.g. 10% off your first order if you sign up to their newsletter).
Companies generally have filters in place to stop you from signing up to the same offer twice. However, if you use a Gmail + alias (together with a new username and a different payment method), you may be able to get around these filters.
Check who has your data
Who is this company, and how did they get into my inbox? A Gmail alias can give you answers.
Let’s say you’ve just found a brand that seems to roll out lots of cool discounts to its regular subscribers. You’d like to join their mailing list, but you’re suspicious about what they do with customer data.
You can subscribe to the list using a dedicated alias (e.g. johndoe+signup01@gmail.com). If everything’s in order, then the only emails you’ll receive using that address will be from the company you signed up to.
If other senders are contacting you via that address, then either the original company has given out your details without permission, or else they’ve been hacked, and your data is out in the wild.
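The check described above can be automated over exported message headers. This is an added example, not code from the original article; the ALIAS_OWNERS registry, the sample messages and all domains in them are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: the sender domain each alias tag was handed to.
ALIAS_OWNERS = {"signup01": "coolbrand.example", "bank": "mybank.example"}

# Constructed sample headers (not real mail).
SAMPLE_MESSAGES = [
    "From: News <news@coolbrand.example>\nTo: johndoe+signup01@gmail.com\nSubject: Deals\n\n",
    "From: promo@mail.coolbrand.example\nTo: johndoe+signup01@gmail.com\nSubject: More\n\n",
    "From: win@lottery.example\nTo: johndoe+signup01@gmail.com\nSubject: Prize\n\n",
    "From: alerts@mybank.example\nTo: John <johndoe+bank@gmail.com>\nSubject: Statement\n\n",
    "From: friend@example.org\nTo: johndoe@gmail.com\nSubject: Hi\n\n",
]


def alias_tags(msg):
    """Yield the '+tag' part of every To/Cc recipient that carries one."""
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    for _name, addr in getaddresses(recipients):
        local = addr.rpartition("@")[0]
        if "+" in local:
            yield local.split("+", 1)[1].lower()


def sender_matches(sender_domain, owner_domain):
    """True for the owner domain itself or any of its subdomains."""
    return sender_domain == owner_domain or sender_domain.endswith("." + owner_domain)


def leaked_aliases(raw_messages, owners=ALIAS_OWNERS):
    """Return {tag: sorted unexpected sender domains} for aliases that leaked."""
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        for tag in alias_tags(msg):
            owner = owners.get(tag)
            if owner and sender and not sender_matches(sender, owner):
                leaks.setdefault(tag, set()).add(sender)
    return {tag: sorted(domains) for tag, domains in leaks.items()}


if __name__ == "__main__":
    print(leaked_aliases(SAMPLE_MESSAGES))
```

Treat a hit as a lead rather than proof: the From header can be forged, and a company may legitimately send through a third-party mailing service on a different domain.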
Limit the impact of a data breach
Let’s say one of the companies you’re signed up to has had its customer data hacked. This potentially means that your email address and password are on a database that’s available for purchase over the dark web. Typically, criminals will use software to systematically go through the list, using those credentials to attempt to log into particular sites (e.g. banking platforms).
The best way to prevent unlawful access to your accounts is obviously to use unique passwords and multi-factor authentication wherever you can. However, taking a belt and braces approach, if you use aliases for different sites (e.g. yourname+cash@gmail.com for banking and yourname+insta@gmail.com for social), it makes it that little bit harder for the criminals to mount an automated attack.
Organize your inbox
Using handy suffixes (e.g. +work, +signup, +vacation), you can set up Gmail filters. For instance, you could configure your inbox so that all messages addressed to yourname+work@gmail.com are labelled ‘work’ and sent to a specific folder. It’s a good way of staying organized when you’ve got lots of business and personal stuff all going into the same inbox.
Penetration testing
If you are involved in penetration testing, you often need to test multiple levels of access. If you are using the same email address, it is difficult to track your results. Plus sign aliases can give you an infinite number of variations without the hassle of having to create multiple accounts.
These aliases can also be useful when running a social engineering penetration test. For instance, you are told that one of the companies you work for often receives payment requests from a business called xsupplies. So you create an alias (e.g. yourname+xsuppliespayable@gmail.com) to see if any messages you create are opened, clicked or have credentials entered by careless employees.
Website testing
You’re building a website for your new cyber security consulting business. You’ve got an email sign-up button on your homepage, sidebar and contact page. You want to make sure each one is working. You can test it by signing up using a different suffix for each one (+home, +side, +contact etc). If there’s a subscription missing from your list, you can immediately tell which button is broken.
The beauty of this approach is that you get multiple address variations, without having to open lots of different email accounts.
Let me know what ideas you have for using this Gmail feature.
This is really useful. Never knew this was possible.
I see a lot of advantages here. Awesome!
Pleasure!
Very interesting and useful indeed!
Thank you.
Apparently Gmail no longer supports ‘+’ in account names. I attempted to apply this trick today, and it failed. I was able to use a dot in the account name without difficulty.
It works. I just tested it.
Sorry, but it didn’t work. Gmail usernames only accept letters, numbers and (.)
I just tested it
Cjmolinac, I think you are misunderstanding what Nathan is saying. You do not create a Google account with the +. You create the account as normal, then add in the + when filling out the email field on websites that ask for your addy. I have tried this and it definitely works. Thanks, Nathan.
That’s correct.
Yep, it (still) works.
This is a PEBCAK problem. At least a couple of posters here are totally misunderstanding how this is supposed to work. I mean, of course it still works! Nathan just wrote this article and I’m sure he did testing before posting!
Very informative. Thanks for sharing.
You are welcome.
Nice Gmail feature and I use it where I can.
But if we know this, so do those companies who have your email. Is it really safe? How long will it take before someone automates the process of stripping “+whatever” from Gmail addresses?
An online webstore probably not, but the bad guys will.
Indeed. I have been using it for years and it is still quite useful for searching and filtering emails.
However, all spam that still arrives is sent to the base address. Also, websites not accepting such format in the registration form are not rare.
True.
That is very useful. Thank you for sharing this.
My pleasure.
Very informative.
Thank you.
This no longer works for new signups. This stopped working months ago.
It still works.
You don’t add the + when signing up.
Handy to know, can see how stripping the added text can be easily done to reveal main account though, as someone has suggested above.
:)
Really handy, thanks Nathan!
:)
Great article. I’ve been aware of these techniques for several years, but have had a hard time explaining it to novices. Nice ‘sharable’ article.
Thanks Valerie.
Wow. It’s interesting…
:)
Thanks for the info, Nathan… now I realize why my inbox is full of unsolicited mails using the (dot) and (+) pattern.
:)
I tried to create an email like you explain above, but the message shows up: enter valid email address
It works with (.) too
How do I start?
Thank you Nathan, this info was very helpful.
Couldn’t someone bypass the ‘alias’ by just knowing the + sign is ignored by Google and then use your normal email before it? Good for robo emails, but if it’s a person, or a person looks over the data and they know this, then it doesn’t work.
Hi
The tips and tricks you bring are very interesting and helpful
Thank you
This is a new and interesting approach. Thanks for the knowledge.
Nice read! I will start using + from now on.